
Microsoft to revamp patching, add exploitability index

By Dennis Fisher, Executive Editor
05 Aug 2008 | SearchSecurity.com


Microsoft is planning to implement two new security programs designed to broaden its resources for protecting customers, including one program under which the company will give antivirus vendors, security vendors and some customers early access to soon-to-be-patched vulnerabilities.

The idea behind the early-access program is to give security vendors a head start on developing signatures and filters for attacks that follow the release of a new set of Microsoft patches on the second Tuesday of the month. Microsoft will announce its new plans at the Black Hat conference in Las Vegas this week.

Known as the Microsoft Active Protection Program (MAPP), the new plan will be open to security companies that provide defensive technology to large customer bases, meaning antivirus (AV), intrusion detection system (IDS) and intrusion prevention system (IPS) vendors. This kind of early notification is something that other companies have been calling for, and Microsoft officials said they've gotten to the point where they could use some help from the rest of the security community.


"We realize no one can do this alone," said Mike Reavey, group manager at the Microsoft Security Response Center. "We're calling for the security community to work together."

In addition to the MAPP announcement, Microsoft also plans to add a new component to its monthly security advisories: an exploitability index. The index will rank vulnerabilities based on the likelihood of someone developing working exploit code for the Microsoft flaws within the 30 days immediately following the patch release. Each vulnerability will be assigned one of three labels: consistent, meaning it's likely that reliable exploit code will be developed; inconsistent, meaning some code may appear, but it likely won't work against all machines; and unlikely, meaning there's little chance of usable code being developed.

"This is really geared toward the first 30 days after the release of new updates. We always get questions from customers every month about the likelihood that exploit code will be released for a particular update," Reavey said.

Reavey added that Microsoft found that working exploit code has been released for about 30% of its updates in the last two years.

Other security vendors said Microsoft's moves made sense, but may not make a huge difference in the long run.

"The exploitability index is kind of interesting and the first thing I think of is that all of these researchers might see something on the low end of the scale as a challenge," said Fred Pinkett, vice president of product management at Core Security Technologies Inc. in Boston. "It will be interesting to see how it tracks with reality. There are plenty of other vulnerability scoring systems out there already.

"In terms of the advance access to the updates, a day or two isn't going to make much difference to us anyway. We're not in that race. It might help the AV and IDS vendors to have a day or two. But anything that gets earlier protection for the customers is a good thing," Pinkett said.


